The secret to online safety: Lies, random characters, and a password manager

Or, how to go from "123456" to "XBapfSDS3EJz4r42vDUt."

It's time to ask yourself an uncomfortable question: how many of your passwords are so absurdly weak that they might as well provide no security at all? Those of you using "123456," "abc123," or even just "password" might already know it's time to make some changes. And using pets' names, birth dates, your favorite sports teams, or adding a number or capital letter to a weak password isn't going to be enough.

Don’t worry, we're here to help. We’re going to focus on how to use a password manager, software that can help you go from passwords like "111111" to "6WKBTSkQq8Zn4PtAjmz7" without making you want to pull out all your hair. For good measure, we'll talk about how creating fictitious answers to password reset questions (e.g. mother's maiden name) can make you even more resistant to hacking.

Why you can’t just wing it anymore

A password manager helps you create long, complicated passwords for websites and integrates into your browser, automatically filling in your usernames and passwords. Instead of typing a different password into each site you visit, you only have to remember one master password.

Why bother? The algorithms and tools hackers use to crack passwords are becoming ever more sophisticated and powerful, as we explained last year in "Why passwords have never been weaker—and crackers have never been stronger." Even people with no experience cracking passwords can do so with the tools available today. And as Wired's Mat Honan discovered from personal experience, the interconnectedness of online accounts coupled with insecure password reset mechanisms creates gigantic risk. Once a hacker gets into one of your accounts, all of them may be vulnerable.

Too often people reuse a password across even their most important accounts, or use a base word and add a number or symbol for different sites. A weak password can be exposed by so-called "brute-force cracking," in which computers try all possible passwords until the right one is found. “Dictionary attacks” are more common, however. These use lists of millions or even billions of previously cracked passwords. Even worse, there have been numerous examples of vendors practically gift wrapping password information, storing users' passwords in plain text or suffering security breaches that expose cryptographically hashed password data for millions of people.

Even if your password is exposed only in an obscured, "hashed" form, it's vulnerable to hackers converting it back to plain text. This is especially true for weak passwords, although we've seen that even relatively strong passwords can be cracked. If a password you use across many sites is exposed in this way, hackers could take control of your e-mail, financial accounts, and social networking profiles.

"Passwords are a terrible system. I mean, passwords are awful," said Jeffrey Goldberg, Chief Defender Against the Dark Arts (yes, that's his real title) at AgileBits. His company makes a password management software called 1Password.

So why does Goldberg spend his career helping users manage passwords? As bad as passwords are, no one has come up with anything good enough to replace them across the whole Internet. Goldberg hoped for some 15 years that client certificates (digital signatures to identify users and Web services) would do the trick, but the technological and implementation barriers proved too great.

Two-factor authentication systems combining passwords with a second verification method (like one-time security codes sent to your cell phone) are improving matters, but while they've been adopted by the likes of Apple, Google, and Microsoft, you won't find them on every site you care about. PayPal's top security chief is working on a plan to "obliterate passwords from the face of the planet," but that won't realistically happen any time soon.

"People have been trying to replace passwords for a long time, and they all run into the same handful of fundamental problems," such as challenges in setting up a network of trusted third parties (similar to certificate authorities) to sign user credentials, Goldberg said. Thus, the need for passwords and for users to practice good password security "isn't going to disappear over the next few years." Password managers make a terrible system less terrible in Goldberg’s view.

We recently gave three hackers a list of 16,000 hashed passcodes, and they cracked nearly 90 percent of them. To stay in the safe zone, we recommended that passwords contain a "minimum of 11 characters, contain upper- and lower-case letters, numbers, and symbols, and aren't part of a pattern." Password managers will help you create truly random passwords that go well beyond 11 characters.

1Password is one of numerous password management systems. Others include LastPass and KeePass. Now, password managers aren't perfect—there is no such thing as perfect online security in 2013—and they aren't necessarily right for everyone. But if used properly, they would undoubtedly improve security for a large population of people using weak passwords. There may be dozens of websites that you have to log into; without a password manager or some other system, creating strong passwords for each one and remembering them would be a nightmare.

"The way our brain works, most of us, you won't be able to remember completely unique passwords for each and every site," Per Thorsheim, a security expert who organizes the annual PasswordsCon conference, told Ars. "We need some logic, we need something to make our brains able to remember those passwords."

Thorsheim is a user of LastPass. He notes that password managers often rely on cloud-based systems to sync logins across devices, introducing a small risk that criminals could target a single point of weakness by hacking into your password service. But the benefits of a system that creates ultra-strong, unique passwords for each site you visit outweigh this risk. And this risk is small. Your data is encrypted on your own computer before being sent to cloud servers and your master password is never stored by any cloud service. "I trust their encryption scheme," Thorsheim said of LastPass. "I also trust in what I see from AgileBits and others."

Making a password manager part of your routine

I bought 1Password for myself several years ago to help me strengthen my security, particularly for banking and other financial accounts. So let’s look at how to use a password manager with 1Password as an example. Note that this is not an endorsement of 1Password over other systems, as we'll talk about how different password managers offer different approaches.

1Password comes in two parts, a desktop application and a browser plugin that automatically fills your passwords into Web forms such as your e-mail, Facebook, or bank site. 1Password stores all of your passwords in an encrypted file, which can only be accessed with a master password. The first step is choosing a master password that's ultra-strong and that you're capable of remembering. Tips on how to choose a master password are coming (on page 3) but for now, let's look at how 1Password and other password managers integrate into your workflow.

Each time you use 1Password, you'll type in your master password to get started:

Within the application, you'll see the list of sites for which you have saved username and password information. You'll also notice categories like "secure notes" and "wallet," the latter of which is a good place to store credit card information.

If you double-click a site name in that list (underneath where it says "144 items by Title") the website will open in your default browser, and your username and password data will be automatically entered.

Pressing the "Edit" button or double-clicking on the right-hand side of the 1Password application will bring you into an individual site's entry. Here you can edit username and password data or create a stronger password.

Next to the password field will be a button labeled "Generate." Clicking this will bring you into 1Password's random password generator:

The generator lets you adjust the rules for creating passwords. You can specify lengths from 1 to 50 characters and specify how many digits or symbols should go into the password. It's a good idea to make your passwords as long as possible, although some sites may limit you to 16 characters or some other amount.

You can even choose "pronounceable" passwords, which will give you something like "eck-vor-ev-ig-vin-jo."

The password creator offers no option for "random numbers of digits and symbols," so if you want each password to have different configurations you'd have to change the amount of digits and symbols each time. Goldberg explained that this small concession was made so that 1Password's browser plugin can more easily create passwords to fit the requirements of various sites (e.g. "password must contain at least two symbols and one number").

"The short answer is yes, we lose something here in strength, but when you do the math on realistic examples it turns out to be a small loss," Goldberg said. "The gain is that it is more likely for a generated password to meet the site's requirements on the first shot. Of course, as the kinds of requirements we see in sites changes over time, we might find that we can modify the Strong Password Generator to ditch the 'exactly N digits' business altogether."
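To put numbers on Goldberg's "small loss," here is an added example (not 1Password's code, and not from AgileBits) of a generator that follows the same "exactly N digits and exactly N symbols" rule, plus the entropy arithmetic behind it. It assumes a 94-character alphabet (letters, digits, and Python's 32 punctuation symbols) and that the non-digit, non-symbol positions are filled with letters only; 1Password's real character set and layout rules may differ. The fixed-count model counts the ways to place the digits and symbols among the positions, then the choices for each position; comparing that to a fully unconstrained password of the same length shows the loss is only a handful of bits at 20 characters.

```python
import math
import secrets
import string

# Constructed alphabet for this example; a real generator may use a different symbol set.
LETTERS = string.ascii_letters      # 52
DIGITS = string.digits              # 10
SYMBOLS = string.punctuation        # 32
ALPHABET_SIZE = len(LETTERS) + len(DIGITS) + len(SYMBOLS)   # 94


def generate_password(length=20, digits=3, symbols=3):
    """Generate a password with exactly `digits` digits and `symbols` symbols.

    The remaining positions are letters, and the positions are shuffled with
    the OS CSPRNG so the classes are not clustered at the start of the string.
    """
    if digits + symbols > length:
        raise ValueError("digits + symbols cannot exceed the password length")
    letters = length - digits - symbols
    chars = ([secrets.choice(DIGITS) for _ in range(digits)]
             + [secrets.choice(SYMBOLS) for _ in range(symbols)]
             + [secrets.choice(LETTERS) for _ in range(letters)])
    secrets.SystemRandom().shuffle(chars)   # unbiased shuffle from os.urandom
    return "".join(chars)


def count_classes(password):
    """Count how many characters of each class a password contains."""
    return {
        "digits": sum(c in DIGITS for c in password),
        "symbols": sum(c in SYMBOLS for c in password),
        "letters": sum(c in LETTERS for c in password),
    }


def entropy_unconstrained(length, alphabet_size=ALPHABET_SIZE):
    """Bits of entropy when every position is drawn uniformly from the whole alphabet."""
    return length * math.log2(alphabet_size)


def entropy_fixed_counts(length, digits, symbols):
    """Bits of entropy under the 'exactly N digits and N symbols' rule.

    Number of passwords = (ways to place digits) * (ways to place symbols among
    the rest) * 10^digits * |SYMBOLS|^symbols * |LETTERS|^letters.
    """
    letters = length - digits - symbols
    placements = math.comb(length, digits) * math.comb(length - digits, symbols)
    return (math.log2(placements)
            + digits * math.log2(len(DIGITS))
            + symbols * math.log2(len(SYMBOLS))
            + letters * math.log2(len(LETTERS)))


def entropy_loss_bits(length, digits, symbols):
    """How many bits the fixed-count rule gives up versus a fully random password."""
    return entropy_unconstrained(length) - entropy_fixed_counts(length, digits, symbols)


if __name__ == "__main__":
    pw = generate_password(20, 3, 3)
    print(pw, count_classes(pw))
    print("unconstrained: %.1f bits" % entropy_unconstrained(20))
    print("3 digits + 3 symbols: %.1f bits" % entropy_fixed_counts(20, 3, 3))
    print("loss: %.1f bits" % entropy_loss_bits(20, 3, 3))
```

Run as a script it prints one generated password with its class counts and the three entropy figures; at 20 characters the fixed-count rule costs roughly 7 bits out of about 131, which is the trade Goldberg describes. Note that `secrets` is used throughout rather than `random`, since the latter is not suitable for anything an attacker might try to predict.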

(Goldberg discussed some of the more technical decisions AgileBits has made with 1Password in an Ars forum thread last year.)

The above screenshots are from a Mac computer. The Windows version of 1Password looks a bit different, but it operates in a similar manner:

Now, the desktop application isn't the most convenient place to generate and retrieve passwords. That's why 1Password and other password managers come with browser extensions that automatically detect sites in which you might want to save existing passwords or generate new ones.

From the desktop application, click "preferences" and then "browsers" to install the extension in your browser of choice. If you click the extension within the browser, you'll get an interface that’s like a stripped-down version of the desktop one:

Like the desktop application, the extension provides a list of websites for which you have accounts:

And a password generator:

When you navigate to a site for which you have a saved login, clicking the browser extension will provide the option of filling the login fields. You can also take this opportunity to generate a stronger password for that site if you haven't already. If you navigate to a site for which you don't have password data saved, 1Password will (most of the time) offer to save it or help generate a new password.

The desktop application does allow you to copy passwords to your computer's clipboard and then manually paste them into a website form (using Control-V on Windows or Command-V on Mac.) By default, the password only remains in the clipboard a short period of time, such as 90 seconds. However, 1Password officials say it's more secure to let the browser extension fill in the data automatically to protect yourself from keylogging malware that reads keystrokes or text from the clipboard. You must always type your master password—do not store it in a file and copy and paste it—but 1Password uses a "secure input mode" to protect your master password from keyloggers by preventing applications from observing your typing. In the event your 1Password data file is stolen, AgileBits uses PBKDF2 technology to increase the amount of time it takes to run automated password guessing programs, making them impractical.
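The PBKDF2 point deserves a concrete look. What follows is an added illustration, not AgileBits' code and not 1Password's actual vault format: it stretches a master password into a key with PBKDF2-HMAC-SHA256 from Python's standard library, keeps a per-vault random salt and iteration count beside a verifier, and checks a candidate master password in constant time. The iteration count, the verifier construction, and the sample guessing budget are assumptions chosen for the example; the encryption of the vault contents with the derived key is left out because the standard library has no AES. The last two functions show why the stretching matters: each guess an attacker makes against a stolen data file costs the full iteration count, so the time to work through a guessing budget scales with it.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # assumption for this example; a real vault stores its own count


def derive_key(master_password, salt, iterations=ITERATIONS, length=32):
    """Stretch the master password into a fixed-length key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=length)


def new_vault_record(master_password, iterations=ITERATIONS):
    """Create the non-secret header a vault would store next to its ciphertext.

    The verifier is a hash of the derived key, so it lets us recognise the right
    master password without storing the key itself.
    """
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "verifier": hashlib.sha256(key).digest(),
    }


def unlock(record, candidate):
    """Return the vault key if `candidate` is the master password, else None."""
    key = derive_key(candidate, record["salt"], record["iterations"])
    # Constant-time comparison so the check leaks nothing about where it mismatched.
    if hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"]):
        return key
    return None


def seconds_per_guess(iterations):
    """Measure how long one derivation takes on this machine at a given iteration count."""
    salt = b"\x00" * 16                      # fixed salt: timing only, not a real vault
    start = time.perf_counter()
    derive_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


def years_to_exhaust(guesses, secs_per_guess):
    """Wall-clock years needed to try `guesses` candidates one after another."""
    return guesses * secs_per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    record = new_vault_record("correct horse battery staple")
    print("unlock with right password:", unlock(record, "correct horse battery staple") is not None)
    print("unlock with wrong password:", unlock(record, "123456") is not None)
    per_guess = seconds_per_guess(ITERATIONS)
    print("one guess at %d iterations: %.4f s" % (ITERATIONS, per_guess))
    # Constructed budget: 2**40 guesses, roughly a 40-bit master password.
    print("2**40 guesses on this machine: %.0f years" % years_to_exhaust(2 ** 40, per_guess))
```

The single-machine figure overstates the protection, since an attacker can run many derivations in parallel on GPUs, which is why a long random master password still matters even with stretching; the stretching multiplies the attacker's cost, it does not replace the password's own strength.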

"Given how known keyloggers work, 1Password protects against them," Goldberg said. "This is all a bit of an arms race between password managers and keyloggers. Even though the good guys are ahead today, this is a game that is stacked against us in the long run. I think that the only reason that we remain in the lead is that the keylogger writers are content to keep their keyloggers simple at the cost (to them) of not getting the passwords from people who use well designed password managers."

Whether you use a password manager or not, the existence of keyloggers that can read passwords as you type them is just one more reason to practice good desktop security, using antivirus software and keeping your PC up to date with all the latest security fixes.

I've done the nonsense answer thing for a while with my benefits reminder Q&A at work for years. Best is when they let you enter your own question freeform -- that way you can enter a question that you can be sure someone will "know" the answer to and frustrate them with an answer that is a complete non-sequitur. For example: "What is the average airspeed of an unladen swallow?" makes for a fine question -- as long as the answer has absolutely NOTHING to do with Monty Python.

Random misdirection is one thing -- but a question that leads would be hackers down an entirely wrong path is altogether more fun.

That's a huge strike against the usability of password managers for mobile devices, and yet the alternative, writing things down on a piece of paper, is at its riskiest when the piece of paper is in a wallet together with your phone in a coat pocket or purse, since you are likely to lose them or have them stolen together. It seems like there may be an opening for Apple or another mobile vendor to produce an official password manager, and yet I can't help feeling that such a thing would instantly become the world's greatest hacking target.

I suppose the only thing to do is to either not use sites that have your credit card or other data on mobile devices, or reserve the use of the special password manager-embedded browsers to those sites.

Just a poor man's password manager solution for those who do not want to use someone else's password manager solution: I have an OpenSSL-encrypted shell script that generates a password by asking for the site's domain name, doing some transformations, SHA-512 it and base64 encode it. Whenever I need a password, I just enter the "master password" to decrypt that shell script, pipe it to bash, enter the domain name for the site and voila. Simple and effective.

I find myself going the strong password and good security practices route every now and then, only to give up in defeat and choosing the path of least resistance.

Complex passwords are great, until you have to enter them on a mobile device, or if you desperately have to log in to something when you don't have your mobile phone with you (not often, but it does happen in places where camera phones, or even phones in general are prohibited), or it's out of battery (now this happens a lot). The situation gets even more complex when 2FA comes into play.

Now you're stuck, and you try to reset your password, and realize that answers to all your secret questions were also a bunch of randomly generated strings (also, this is pretty fun when trying to phone support and getting asked questions to verify your identity).

Then you go fuck it all, and when you're back, change it all back to the path of least resistance.

I don't think it's that users are against choosing good security, but preferring to choose a balance between security and usability.

Quote:

Complex passwords are great, until you have to enter them on a mobile device

The passwords for all the sites I sometimes use away from home are significantly weaker than the random throwaway sites I just toss into KeePass (and then, naturally, my bank password is mandated to be even weaker). It's a problem.

Somethings that I think are important to note about LastPass (and may exist in 1Password, but I haven't tried it, so I don't know):

1) It provides you the ability to enter your passphrase via a virtual keyboard, to minimize the risk when you're on a non-secure public computer

2) It additionally provides a mechanism for one-time-only passwords that replace your passphrase to additionally minimize the risk when you're on a non-secure public computer

3) It supports Google Authenticator for 2-factor authentication (which I appreciate quite a bit).

These tipped me over the edge and have made me really impressed with the amount of thought put into the password management systems available.

Quote:

I've done the nonsense answer thing for a while with my benefits reminder Q&A at work for years. Best is when they let you enter your own question freeform -- that way you can enter a question that you can be sure someone will "know" the answer to and frustrate them with an answer that is a complete non-sequitur. For example: "What is the average airspeed of an unladen swallow?" makes for a fine question -- as long as the answer has absolutely NOTHING to do with Monty Python.

Random misdirection is one thing -- but a question that leads would be hackers down an entirely wrong path is altogether more fun.

The problem, though, is having people that NEED access to your accounts can get stymied as well, if you aren't careful.

Quote:

That's a huge strike against the usability of password managers for mobile devices, and yet the alternative, writing things down on a piece of paper, is at its riskiest when the piece of paper is in a wallet together with your phone in a coat pocket or purse, since you are likely to lose them or have them stolen together. It seems like there may be an opening for Apple or another mobile vendor to produce an official password manager, and yet I can't help feeling that such a thing would instantly become the world's greatest hacking target.

I suppose the only thing to do is to either not use sites that have your credit card or other data on mobile devices, or reserve the use of the special password manager-embedded browsers to those sites.

KeePass (as I said before, I don't know the other alternatives that well) doesn't require a special browser on phones and tablets. Neither does LastPass (though LastPass does support an alternate browser). On Android, both put a notification in the shade to select either the user ID or password, so you can do that, then switch back to the browser of your choice.

Not necessarily, at least on Android. When I used KeePass for Android it allowed you to copy-paste the password from the database to your browser. If you don't want to use the Firefox Mobile or Dolphin extensions, LastPass also allows you web access to your database. From there, you can click a site to login, if memory serves.

Not only is the mobile experience bad, the desktop doesn't work that well either. Login forms tend to be on the front page of websites, and use fancy Javascript to show/hide the login box, which breaks the plugin. Also, the pages occasionally get redesigned in a way that hides the username/password from the browser plugin. You can re-save the password, but then you have to go in and manually copy over any extra data (i.e. security questions) that are saved in the entry. At this point (~2 years) less than half of the websites I visit regularly have functional auto-fill. Note: this applies to KeePass+KeeFox. I'm not sure about the other programs

One huge - and fairly easy - change would be for websites to provide a simple login page with stable HTML markup, and no nasty Javascript that makes password managers break. (And a way to find the page, which is often a problem today.)

Maybe Ars could lead here? In the process, Ars could change the login page to be served as HTTPS at the top level, and fix the man-in-the-middle security vulnerability.

Quote:

Not only is the mobile experience bad, the desktop doesn't work that well either. Login forms tend to be on the front page of websites, and use fancy Javascript to show/hide the login box, which breaks the plugin. Also, the pages occasionally get redesigned in a way that hides the username/password from the browser plugin. You can re-save the password, but then you have to go in and manually copy over any extra data (i.e. security questions) that are saved in the entry. At this point (~2 years) less than half of the websites I visit regularly have functional auto-fill. Note: this applies to KeePass+KeeFox. I'm not sure about the other programs

One huge - and fairly easy - change would be for websites to provide a simple login page with stable HTML markup, and no nasty Javascript that makes password managers break. (And a way to find the page, which is often a problem today.)

Maybe Ars could lead here? In the process, Ars could change the login page to be served as HTTPS at the top level, and fix the man-in-the-middle security vulnerability.

I would appreciate a nice, straightforward login page for more websites (maybe lastpass could even offer a tab to help "convert" URLs it has stored into more direct-to-login URLs). Barring that, however, I find if you fill in all the boxes like you would to log in, and then have lastpass capture the fields (while that javascript bit is open or whatnot), it tends to do a pretty good job of capturing the fields and only minor editing is required.

It makes the assumption that hackers have access to the password in some form (e.g. the MD5 hashes mentioned in the earlier article), then proposes creating passwords that are so complex that they cannot be cracked with using current techniques and hardware. Since those passwords are too complex to remember, password managers are proposed.

I can tell you exactly what will happen if password managers become commonplace: hackers will start focussing their attacks on the password managers. Once they have a viable attack on the password manager, they are going to have a comprehensive list of your account credentials. That means all of your accounts, not just one.

The reality is that the security has to be managed by the site in cases like this, and about the only thing that you can do to protect yourself is to use different passwords for different services (and to minimize how much the site knows about other services that you may use). The worse thing that you can do is open up additional vectors for attackers, which is essentially what a password manager is.

Quote:

Complex passwords are great, until you have to enter them on a mobile device, or if you desperately have to log in to something when you don't have your mobile phone with you (not often, but it does happen in places where camera phones, or even phones in general are prohibited), or it's out of battery (now this happens a lot). The situation gets even more complex when 2FA comes into play.

Now you're stuck, and you try to reset your password, and realize that answers to all your secret questions were also a bunch of randomly generated strings (also, this is pretty fun when trying to phone support and getting asked questions to verify your identity).

That's why there's keepass/lastpass clients for pretty much every mobile device ever, also keep my keepass database with portable executables on my keychain (and don't login to untrustworthy terminals.) I don't even bother with the mobile apps, I just copy it to my KDE clipboard and let klipper generate a barcode, then I scan it from my screen, paste it into the form and let the app/browser store that info or use a cookie. There's a few that I don't keep in my keepass database, but it's nice to take off the majority of the burden and not have to worry too much when my data is in the hands of some dumbass web dev.

I also don't see how the last is an issue if it's just a few random characters. The idea is to not use dumb answers that someone can easily figure out just by knowing you and to not use the same answer on every site at least. With any decent password manager there exists a comment section where you can include that information.

How about the fact it's not secure in any way. Did you even read the article and the two previous articles on the subject? A simple word + word + word dictionary attack will crack it very easily.

And m0msFr3nchT0@st isn't any more secure because it's word + word + word with standard letter <--> number substitution thrown in. Which any cracker software should do.

However if you did M6m2F4en7h7oa92 that would be better. It's still based on momsfrenchtoast but I did random letter <--> number substitution. But it still suffers from the fact it's only basic alphanumeric. You'd want to add in a $ or ( and a space and maybe something else. So you end up with "M m2F(en7h7oa92!&"

I've mutated your simple and insecure momsfrenchtoast to something that is secure. But of course now you can't remember the stupid thing.

Quote:

I can tell you exactly what will happen if password managers become commonplace: hackers will start focussing their attacks on the password managers. Once they have a viable attack on the password manager, they are going to have a comprehensive list of your account credentials. That means all of your accounts, not just one.

Good. Password managers are designed from the ground up to be high security and difficult to attack. Most websites are not.

The only viable way to attack password managers (most of them, anyways) is locally on the end-user's computer. If the attacker has access to your computer, you are screwed. Sure, the password manager can minimize the risk through secure input and whatnot, but the reality is, if you can access the password vault, so can the attackers.

Additionally, attacks against password managers have to be done individually. Hitting a website can net you millions of different passwords. Hitting a manager only nets you one. Sure, it sucks to be that user, since he loses all his passwords, but "cybercrime" doesn't pay if you're attacking users one-by-one.

The discoverability is still a problem - a forum comment doesn't exactly make that login page easy to find. [Edit: As Lee points out below, there is actually a link to this version of the login in the JavaScript popup. I just didn't see it.]

And - not an Ars problem - updating my KeePass entry took probably 2 minutes (add a new entry, make sure it works, make sure there's no extra data in the old entry, delete it). It would be really nice if KeePass had a way to update the login page info, without creating a new entry.

I would like there to be a password manager on my smart phone that communicates with my desktop via bluetooth or NFC. That way all my passwords would be under my control and not in the cloud. I will pass on these other solutions.

It would be great if every site had a well defined plain text login screen that is only intended for use by a password manager. The standard could be that it is always called https://aaaa.com/passmgrctrl or such. aaaa is just a placeholder. That would be really useful. It should also support changing passwords so that the manager can change the password. It should present the password rules. It should limit use so that fast attacks are not allowed.

Quote:

Not only is the mobile experience bad, the desktop doesn't work that well either. Login forms tend to be on the front page of websites, and use fancy Javascript to show/hide the login box, which breaks the plugin. Also, the pages occasionally get redesigned in a way that hides the username/password from the browser plugin. You can re-save the password, but then you have to go in and manually copy over any extra data (i.e. security questions) that are saved in the entry. At this point (~2 years) less than half of the websites I visit regularly have functional auto-fill. Note: this applies to KeePass+KeeFox. I'm not sure about the other programs

With LastPass (Firefox extension on Desktop), my failure rate has been about 5%.

Quote:

Just a poor man's password manager solution for those who do not want to use someone else's password manager solution: I have an OpenSSL-encrypted shell script that generates a password by asking for the site's domain name, doing some transformations, SHA-512 it and base64 encode it. Whenever I need a password, I just enter the "master password" to decrypt that shell script, pipe it to bash, enter the domain name for the site and voila. Simple and effective.

How exactly is that the poor-man's solution? KeePass is certified FOSS, available for whatever contribution you feel appropriate.

Quote:

I can tell you exactly what will happen if password managers become commonplace: hackers will start focussing their attacks on the password managers. Once they have a viable attack on the password manager, they are going to have a comprehensive list of your account credentials. That means all of your accounts, not just one.

I think you're missing something very important here - password managers are specifically designed to be extremely difficult to defeat the encryption.

That's the key here. If all passwords are salted and hashed using an expensive algorithm, it's prohibitively expensive for a hacker to obtain actual passwords from a hacked database unless they're targeting one specific account.

Unfortunately, we can't rely on websites storing passwords securely, and thus we need to use long random passwords to keep our accounts safe from attacks.

Unlike websites, we can rely on our password manager having excellent security, because that's what it was designed for. Is it a foolproof solution? No, but of the available options it's by far the best.

Quote:

Not only is the mobile experience bad, the desktop doesn't work that well either. Login forms tend to be on the front page of websites, and use fancy Javascript to show/hide the login box, which breaks the plugin. Also, the pages occasionally get redesigned in a way that hides the username/password from the browser plugin. You can re-save the password, but then you have to go in and manually copy over any extra data (i.e. security questions) that are saved in the entry. At this point (~2 years) less than half of the websites I visit regularly have functional auto-fill. Note: this applies to KeePass+KeeFox. I'm not sure about the other programs

With LastPass (Firefox extension on Desktop), my failure rate has been about 5%.

It's even lower with KeePass -- especially if you take a moment to configure the autotype options when you create the entry. It also handles non-browser apps that require passwords, so it's pretty flexible.

Quote:

It would be great if every site had a well defined plain text login screen that is only intended for use by a password manager. The standard could be that it is always called https://aaaa.com/passmgrctrl or such. aaaa is just a placeholder. That would be really useful. It should also support changing passwords so that the manager can change the password. It should present the password rules. It should limit use so that fast attacks are not allowed.

This seems technically possible. Maybe if we get enough people using password managers it would happen. Just add an http header like

Code:

<link rel="auto-login-page" href="https://example.com/login.xml" />

and let the KeePass/LastPass plugin detect it and provide a "login" button in the browser's UI. Or any of hundreds of other implementations - it isn't all that hard a problem, just one that requires coordination.

I'm glad Ars has given this a more in-depth article as it's an important topic. Password managers are an unfortunately necessary hack to help deal with utterly non-existent standards when it comes to authentication. There are many approaches sites could use to improve the situation, ranging from a standard hidden form field that could accept a hash from a compliant program in lieu of a password all the way up to certificates (either of which could eliminate the issue of leaks), but those approaches of course do require sites to take action and there has yet to be any strong movement from that. In the mean time we're stuck with a wide variety of non-standard and often mediocre name/pass forms, and a password manager is critical to handling that. I don't get what

Quote:

such as challenges in setting up a network of trusted third parties to handle authentication

means since there should be no third parties involved with authentication and none are necessary beyond the initial SSL connection, but the sentiment that most sites are lazy is unfortunately quite correct.

Regarding email:

Quote:

For this, it may be wise to use a secondary e-mail address that you don't use to communicate with anyone.

One addition to this that I would suggest looking at for people who own a domain is aliases. Email services (particularly free ones included with the domain) typically have a low number of allowed mailboxes. But all decent services should also allow adding an effectively unlimited number of aliases to any given mailbox, which in turn makes it easy to have a unique email address for every site. I use standard naming of domain.com-username@mydomain.com. That's useful particularly in dealing with spam and as an early warning system for hacks. The only mail that should ever come to the alias domain.com-username@mydomain.com is from domain.com. If I suddenly notice email arriving from somewhere else, then either domain.com has decided to deal with spammers or their database has been hacked.
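The per-site alias scheme above doubles as a leak detector, so here is an added example (my own code, not the commenter's) that parses a `<site>-<username>@mydomain` alias and flags mail to it from any domain other than the site itself. One parsing convention is assumed: the site part ends at the first `-` that follows the first `.`, so site names containing hyphens and usernames containing hyphens both parse correctly.

```javascript
// Added example: early-warning check for per-site email aliases.
// Assumed alias layout: <site>-<username>@<myDomain>, site part ending at the
// first '-' after the first '.' (so 'my-site.example-bob-smith' parses as
// site 'my-site.example', username 'bob-smith').
function parseAlias(address, myDomain) {
  const at = address.lastIndexOf('@');
  if (at < 0 || address.slice(at + 1).toLowerCase() !== myDomain.toLowerCase()) return null;
  const local = address.slice(0, at).toLowerCase();
  const dot = local.indexOf('.');
  if (dot < 0) return null;                 // no site name, so not one of the aliases
  const dash = local.indexOf('-', dot);
  if (dash < 0) return null;
  return { site: local.slice(0, dash), username: local.slice(dash + 1) };
}

// 'expected'     : sender is the site (or a subdomain of it) the alias was given to
// 'unexpected'   : someone else is using the alias, i.e. the site shared or leaked it
// 'not-an-alias' : ordinary mailbox, nothing to conclude
function classifyMail(sender, recipient, myDomain) {
  const alias = parseAlias(recipient, myDomain);
  if (!alias) return 'not-an-alias';
  const senderDomain = sender.slice(sender.lastIndexOf('@') + 1).toLowerCase();
  if (senderDomain === alias.site || senderDomain.endsWith('.' + alias.site)) return 'expected';
  return 'unexpected';
}

// Returns the aliases that have received mail from an unexpected sender.
function exposedAliases(messages, myDomain) {
  return messages
    .filter(m => classifyMail(m.from, m.to, myDomain) === 'unexpected')
    .map(m => m.to);
}

// Constructed sample headers (not real mail).
const SAMPLE_MAIL = [
  { from: 'noreply@mail.shop.example', to: 'shop.example-bob@mydomain.example' },   // expected
  { from: 'deals@bulkmailer.example', to: 'forum.example-bob@mydomain.example' },   // exposed
  { from: 'friend@home.example',      to: 'bob@mydomain.example' },                 // not an alias
];
```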

Not only is the mobile experience bad, the desktop doesn't work that well either. Login forms tend to be on the front page of websites, and use fancy JavaScript to show/hide the login box, which breaks the plugin. Also, the pages occasionally get redesigned in a way that hides the username/password from the browser plugin. You can re-save the password, but then you have to go in and manually copy over any extra data (i.e. security questions) that are saved in the entry. At this point (~2 years) less than half of the websites I visit regularly have functional auto-fill. Note: this applies to KeePass+KeeFox. I'm not sure about the other programs.

Doesn't KeePass 2 on Windows support autotype natively without an extension? And I've only encountered one website (PayPal) that breaks, and that's only with the most recent overhaul of their design.

The discoverability is still a problem - a forum comment doesn't exactly make that login page easy to find.

And - not an Ars problem - updating my KeePass entry took probably 2 minutes (add a new entry, make sure it works, make sure there's no extra data in the old entry, delete it). It would be really nice if KeePass had a way to update the login page info, without creating a new entry.

I agree it's not ideal, but if you look closely at the login popup there is a link to the standalone login form. We're definitely open to changing it, but the popup login does offer some convenience IMO. Perhaps with a bit of tweaking we can get the password managers working better with the popup.

A password manager only works if you use it, and I couldn't commit to the user experience of a password manager until I found Dashlane. I feel Dashlane deserves a mention in this article, since it certainly compares to 1Password, LastPass and company.

Dashlane provides a smart (and easy-to-use) cross-platform desktop app paired with great browser plugins and mobile apps for iOS and Android. Fully-encrypted syncing is built in (not a 3rd-party function), with the only key tied to your master password. Your private data can only be decrypted locally, with 2-step verification for any new devices. The company recently moved to a more mature business model of $20/year for synced service between 2 or more devices, but your first device is still a free place to start.

I've used Dashlane for a year and appreciated it as a brand new password manager built around secure syncing and a great application/plug-in experience. They are steadily improving their service and I'm impressed at how efficiently they respond to bugs and suggestions.

Unfortunately, Dashlane is now more expensive than LastPass or 1Password. Still, none of the other managers give me everything I want. I prefer a dedicated app (easier to maintain than a browser-based solution), built-in syncing (less worrisome than 3rd-party patches) and a good-looking easy-to-use UI (easier to learn and troubleshoot for the less technically-inclined).

I recently signed up for online bill pay with my bank and found out they only accept letters and numbers as a password. I will definitely be using a password manager going forward just to provide more security for such issues.

such as challenges in setting up a network of trusted third parties to handle authentication

means since there should be no third parties involved with authentication and none are necessary beyond the initial SSL connection, but the sentiment that most sites are lazy is unfortunately quite correct.

In the scenario that part of the article discusses, the third parties would be similar to certificate authorities.

Not only is the mobile experience bad, the desktop doesn't work that well either. Login forms tend to be on the front page of websites, and use fancy JavaScript to show/hide the login box, which breaks the plugin. Also, the pages occasionally get redesigned in a way that hides the username/password from the browser plugin. You can re-save the password, but then you have to go in and manually copy over any extra data (i.e. security questions) that are saved in the entry. At this point (~2 years) less than half of the websites I visit regularly have functional auto-fill. Note: this applies to KeePass+KeeFox. I'm not sure about the other programs.

Doesn't KeePass 2 on Windows support autotype natively without an extension? And I've only encountered one website (PayPal) that breaks, and that's only with the most recent overhaul of their design.

Yes it does, at least on Windows. Ctrl-Alt-A calls KeePass, and autofills if you've already logged into KeePass. If you aren't logged in, you get a log-in prompt first. If the log-in screen matches multiple entries in your KeePass database, it gives you a nice list of accounts to choose from.